EAP-TTLS (PAP) not working with NT domain - debian freeradius 1.1.7
A.L.M.Buxey at lboro.ac.uk
Wed Mar 19 17:57:01 CET 2008
Hi,
>
> Okay, I've searched and searched for a hint, hopefully this isn't one of
> those RTFM messages, and hopefully I didn't read an invalid FM ;-)
>
> I'm trying to "emulate" the edunet network wireless roaming network, which
> primarily uses (in this order):
>
> EAP-TTLS
> PEAP
> EAP-MSCHAPv2
>
> My Access point is a router running the DD-WRT firmware which AFAICT should
> work fine for 802.1x support.
>
> I first started on this page:
> http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html
> which provides instructions on rebuilding the debian freeradius 1.1.7
> package with ttls/peap/etc..
>
> I'm authenticating from our local NT domain since we already have it, and
> in theory, these particular auth choices all work fine with the ntdomain
> password - according to the "Deploying Radius: The Book" chart I found
> online.
>
> With that, and a few configuration options (like making sure the host was
> connected to the domain and ntlm_auth functioned as required), I've managed
> to get PEAP and EAP-MSCHAPv2 working fine to the ntdomain.
>
> EAP-TTLS works fine with an account in the "users" file that has a clear
> text password, as well as a local /etc/password account. Ideally this
> should work with the ntdomain as well.
> I'm testing with a laptop running XP, with the secureW2 package installed
> to provide TTLS.

If you are using EAP-TTLS/PAP then you'll need a plain text password -
this can be done via Kerberos to the AD. Otherwise EAP-TTLS/MSCHAPv2
should work just like PEAP.

I'd advise to get rid of the DEFAULT Auth := System line from the users file.

alan